CWE-359 Details

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Status: Incomplete
Created: 2006-07-19 +00:00
Last modified: 2025-12-11 +00:00

Name: Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

General Information

Modes of Introduction

Architecture and Design: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Mobile (Undetermined)

Common Consequences

Scope: Confidentiality
Impact: Read Application Data

Observed Examples

Reference: Description

CVE-2023-29850: Library management product does not strip Exif data from images

CVE-2020-26220: Customer relationship management (CRM) product does not strip Exif data from images

CVE-2005-0406: Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
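As an added example (hypothetical code, not from any of the products named above), a minimal JPEG segment walker that drops the APP1 segment, which carries Exif, including the IFD1 thumbnail that CVE-2005-0406 describes surviving an edit, as well as XMP, together with COM comment segments, before an uploaded image is stored or served. The sample image bytes are constructed inline; all function names are assumptions.

```python
# Hypothetical Exif/XMP/COM stripper for JPEG uploads (added example, not from any listed product).
SOI, EOI, SOS, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE1, 0xFE
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}  # markers that carry no length field

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each header segment, up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded scan follows; copy it verbatim and stop
            yield marker, pos, len(data)
            return
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes the 2 length bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy the JPEG without APP1 (Exif incl. its thumbnail, XMP) and COM segments."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker not in (APP1, COM):
            out += data[start:end]
    return bytes(out)

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only for the constructed sample)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JFIF APP0, an Exif APP1 whose payload stands in for GPS tags and the
# IFD1 thumbnail, a COM comment, a quantisation table, then a tiny scan and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<gps-tags-and-thumbnail-placeholder>")
    + _segment(COM, b"taken at the photographer's home")
    + _segment(0xDB, b"\x00" + bytes(range(64)))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
)
```

Real uploads can also carry identifying data in other APPn segments (APP13 IPTC/Photoshop blocks, for instance), so a production filter should allow-list the segments it keeps rather than deny-list these two.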

Potential Mitigations

Phases: Requirements
Phases: Architecture and Design
Phases: Implementation // Operation

Detection Methods

Architecture or Design Review

Effectiveness: High

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High

Automated Static Analysis

Tools are available to analyze documents (such as PDF, Word, etc.) to look for private information such as names, addresses, etc.

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID: Attack Pattern Name
CAPEC-464 Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.
CAPEC-467 Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).
CAPEC-498 Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.
CAPEC-508 Shoulder Surfing
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.

Notes

This entry overlaps many other entries that are not organized around the kind of sensitive information that is exposed, such as CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer. However, because privacy is treated with such importance due to regulations and other factors, and it may be useful for weakness-finding tools to highlight capabilities that detect personal private information instead of system information, it is not clear whether - or how - this entry should be deprecated.

Submission

Name  Organization  Date  Release Date  Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name  Organization  Date  Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-03-10 +00:00 updated Other_Notes
CWE Content Team MITRE 2009-07-27 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2009-12-28 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2010-02-16 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2011-03-29 +00:00 updated Other_Notes
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-09-13 +00:00 updated Other_Notes, References
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2013-02-21 +00:00 updated Applicable_Platforms, References
CWE Content Team MITRE 2014-02-18 +00:00 updated Alternate_Terms, Demonstrative_Examples, Description, Name, Other_Notes, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Type
CWE Content Team MITRE 2020-08-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated References
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-11-19 +00:00 updated Description, Diagram, Other_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Alternate_Terms, Detection_Factors, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Weakness_Ordinalities